Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
KimiClaw
v1.0.0
KimiClaw: Power your OpenClaw with Kimi K2.5 — the free, Anthropic-compatible coding model. One config change to run Claude Code, spawn coding agents, or cha...
⭐ 0· 108·0 current·0 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md content is consistent with the name/description: it instructs how to point OpenClaw and Anthropic-compatible tooling at Kimi's coding API. However, the registry metadata declares no required credentials/env vars while the instructions clearly show using an API key (sk-kimi-...) and environment variables (ANTHROPIC_API_KEY / ANTHROPIC_BASE_URL). That mismatch is an implementation/documentation inconsistency.
Instruction Scope
The runtime instructions are narrowly scoped to configuring OpenClaw, setting environment variables, and calling the Kimi API endpoints. There are no instructions to read unrelated local files, harvest system config, or transmit data to unexpected endpoints beyond the documented api.kimi.com domain. Examples do instruct using an API key and show curl/python usage for requests (normal for this kind of skill).
Install Mechanism
This is an instruction-only skill with no install spec and no code files, which minimizes install-time risk. Nothing is downloaded or written by the skill instructions themselves.
Credentials
The skill requires an API key in practice (examples show sk-kimi-... and recommend ANTHROPIC_API_KEY), but the registry metadata declares no required environment variables or primary credential. Requesting an API key for the service the skill integrates with is reasonable, but the absence of that declaration is a discrepancy and reduces transparency. Also, the skill will cause the user to place an API key into openclaw.json or env vars — users should ensure that key is scoped/limited and that they trust the target domain.
Persistence & Privilege
always is false and the skill does not request persistent privileges or attempt to change other skills' configurations. It only gives instructions for user configuration of OpenClaw (expected for a provider integration).
What to consider before installing
This skill appears to be what it says (instructions to use Kimi K2.5 via an Anthropic-compatible API), but exercise caution before providing API keys or modifying configs:
1) The registry metadata did not declare any required env vars though the instructions clearly tell you to set ANTHROPIC_API_KEY / ANTHROPIC_BASE_URL or to put an apiKey in openclaw.json—confirm that behavior with the skill author.
2) Verify the provider domain (https://api.kimi.com and https://www.kimi.com) and ownership before using a real key—prefer to test with a limited-scoped or expendable API key first.
3) Don’t put high-privilege secrets or other service credentials into openclaw.json or wide-scope env vars; create a key with limited quota/permissions if possible.
4) Confirm expected request/response formats in a safe test (curl) so you don’t inadvertently send sensitive data.
5) Because there is no homepage or maintainer info in the registry metadata, consider requesting provenance (source repo or publisher contact) before relying on this skill in production. If the publisher provides a repo or official docs, re-check that they match the endpoints and headers used in SKILL.md.
Like a lobster shell, security has layers — review code before you run it.
